
Agenda 




What is SSO Corporate access collection? 

(TS//SI//NF) Access and collection of telecommunications on cable, switch network, 
and/or routers made possible by the partnerships involving NSA and commercial 
telecommunications companies. 
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Brief discussion of global telecommunications infrastructure. 

How access points in the US can collect on communications from "bad guy" countries 
(least cost routing, etc.) 
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Access to massive amounts of data 



Controlled by variety of legal authorities 
Most accesses are controlled by partner 
Tasking delays 



(TS//SI//NF) Key Points: 

1) SSO provides more than 80% of collection for NSA. SSO's Corporate Portfolio 
represents a large portion of this collection. 

2) Because of the partners and access points, the Corporate Portfolio is governed by 
several different legal authorities (Transit, FAA, FISA, E012333), some of which 
are extremely time-intensive. 

3) Because of partner relations and legal authorities, SSO Corporate sites are often 
controlled by the partner, who filters the communications before sending to NSA. 

4) Because we go through partners and do not typically have direct access to the 
systems, it can take some time for OCTAVE/UTT/Cadence tasking to be updated 
at site (anywhere from weekly for some BLARNEY accesses to a few hours for 
STORMBREW). 
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Explanation of how we can collect on a call between (hypothetically) Iran and Brazil 
using Transit Authority. 

Discuss how foreign-to-foreign ness must be proved (particularly difficult for DNI). 
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•(S//SI) Transit Authority - Only allows those SSO programs operating under this 
authority to collect communications which are confirmed to be foreign-to-foreign. 

• (S//SI) SSO programs operating under this authority have filters at their collection 
front-ends to ensure only authorized traffic (i.e. foreign-to-foreign) is forwarded to 
the DNR and DNI selection engines (driven by UTT/CADENCE/OCTAVCE tasking). 

• (S//SI) Despite best efforts, occasionally there may be an "authorized" DNR or DNI 
hit forwarded to the TOPI, which based on TOPI analysis eventually determines that 
one-end of the intercept is actually in the US. We refer to this as a "domestic 
incident". This usually occurs in the DNR world, where one-end of the intercept will 
make a reference to being in the US. 

• (C) TOPI's must inform SSO Corp Team when this occurs via email alias 
^^^^■SSO files a formal report to NSA/SV for each occurrence of a domestic 
incident. 
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Corporate Portfolio 



FAIRVIEW 

(C) US-990 

BLARNEY 
(C) US-984 
(C) US-984X* 

STORMBREW 

(C) US-983 

(C) US-3140 



FAIRVIEW 



FISA collection 
FAA collection 



STORMBREW 

MADCAPOCELOT 



SSO Corporate/TAO Shaping 
(C) US-31 05S1 DARKTHUNDER 
(C) US-31 05S1 STEELFLAUTA 



OAKSTAR 
(C) US-3206 
(C) US-3217 
(C) US-3230 
(C) US-3247 
(C) US-3251 
(C) US-3273 
(C) US-3277 
(C) US-3354 




MONKEYROCKET* 

SHIFTINGSHADOW 

ORANGECRUSH 

YACHTSHOP 

ORANGEBLOSSOM 

SILVERZEPHYR 

BLUEZEPHYR 

COBALTFALCON 



Systems under a corporate program can be completely unrelated to one another 
(e.g., everything in OAKSTAR is different). 

*MONKEYROCKET is expected to become operational in spring 2012. 
Blue-colored systems operate under Transit Authority. 

US-3150 is an umbrella SSO SIGAD for the Extended Enterprise. 



8 




Key points: 

1) Explanation of Port 25 and 3-Swing Algorithm. 

2) 60 million foreign-to-foreign emails in the FAIRVIEW environment ever day; 5 
million after 3-Swing Algorithm. 

3) FAA collection under SIGADs US-984XR and US-984X2. FISA collection under 
SIGAD US-984T (COWBOY). 

4) Tasking through UTT, Cadence, and OCTAVE. 

5) Data in PINWALE (YANKEE), XKEYSCORE, MAINWAY, TOYGRIPPE, BLACKPEARL, 
TWISTEDPATH, NUCLEON, and DISHFIRE. 
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Discussion of the breadth of the FAIRVIEW program. 





Key Points: 

1) Access to mid-point collection (cable, switch, and router) at seven sites and 
approximately 130 circuits. 

2) DNR collection falls under Transit and FAA Authorities. DNI is limited to FAA and 
FISA - cannot collect DNI under Transit Authority like FAIRVIEW. 

3) Difference between WHITESQUALL (international gateway switch access; 
thousands of trunk groups connected worldwide), MISTRALWIND (calling card/ 
private network access), SERRATEDEDGE (conflict number access) 

4) STORMBREW collects under the FAA Authority using the SIGADs US-984X(A-H) for 
DNI and US-984X1. 

5) STORMBREW handles limited FISA-related tasking using the SIGAD US-984P 
(PERFECTSTORM) and PDDG AX. 

6) STORMBREW is tasked in UTT and OCTAVE. 

7) Data is retrieved in PINWALE, NUCLEON, and DISHFIRE. 
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1 ) 

2 ) 

3) 



New access under the STORMBREW umbrella. 

MADCAPOCELOT has a ccess to multiple 1 0G internet backbone circuits, including 
several that service the^^|^^^^^ 

Three-step tasking process: 1) an unclassified IP address and signature promotion 
list will be reviewed and approved by S2/S3 GCM equity process, 2) strong 
selection will be accomplished by UTT site group (SSO_WO), 3) filtering and 
targeting logic managed by TMM will be levied via a new CADENCE dictionary 
MADCAPOCELOT and CADENCE FIST MDCP. 



4) Collection can be accessed in PINWALE (TEXT partition) and metadata is accessed 
in MARINA. 
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US-984 BLARNEY 





(TS//SI) US-984 (PDDG: AX) - provides collection 
against DNR and DNI FISA Court Order authorized 
communications. 

(TS//SI) Key Targets: Diplomatic establishment, 
counterterrorism, Foreign Government, Economic 

(U//FOUO) “go BLARNEY” for more information. 



1) Operates under the authorities of NSA FISA, FBI FISA, and FAA. 

2) BLARNEY is the leading source of FISA collection, producing over 11,000 reports 
and is consistently a top contributor to the President's Daily Brief. The program 
contributes to over 60% of product reporting to the Counterterrorism product 
line and over 80% of the overall FAA reporting. 

3) In order to task BLARNEY, there must a valid Court Order for the target. Court 
order process: 

1) Court Order is signed or renewed. 

2) Selectors appear in the Court Order. 

3) Target Office decides what numbers to task. The Target Office submits a 



Managers with the selectors that should be tasked. 

4) When a Court Order is up for renewal and a currently tasked number is 
not going to be in the renewal, the TOPI is required to send a detask 
request for that selector. 

4) 11 different SIGADs, falling under BLARNEY, FAIRVIEW, and STORM BREW partners. 

5) PRISM falls under BLARNEY, but is just one access of many. 

6) The Court Order process is extremely long and time-intensive for everyone 

involved, but the collection payout is fantastic. 



task request (via email to 




to the BLARNEY Collection 
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1) FAA Collection falls under BLARNEY, FAIRVIEW, STORM BREW, or SILVERZEPHYR 
(OAKSTAR), but due to the stringent legal requirements of FAA, the programs use 
different SIGADs (under the format US-984X*). 
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Look at FAA. Just look at it. 
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Special Source Operations 

Corporate Partner Access 

Briefed by: 
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Overall Briefing Classification Is 
TOP SECRET/ /COMINT//NOFORN//X1 
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Relationships & Authorities 

• Leverage unique key corporate partnerships to gain access to 
high-capacity international fiber-optic cables, switches and/or 
routers throughout the world 

• Collection on U.S. soil is conducted under three different 
authorities: 

• Transit Authority : Collection of foreign intelligence 
communications which originate and terminate in foreign 
countries, but traverse U.S. territory 

• Foreign Intelligence Surveillance Act (FISA): Court ordered 
collection (NSA/FBI/FISA Court) 

• FISA Amendment Act of 2008 (FAA) : Surveillance in the US 
when the target is reasonably believed to be foreign 
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BLARNEY AT A GLANCE 
Why: Started in 1978 to provide FISA authorized access to communications of 
foreign establishments, agents of foreign powers, and terrorists 




External Customers 
(Who) 


Information Requirements 
(What) 


Collection Access 
and Techniques 
(How) 


Department of Shite 


Counter Proliferation 


DNI Strong Selectors 


Central Intelligence Agency 


Counter Terrorism 


DNR Strong Selectors 


United States UN Mission 


Diplomatic 


DNI Circuits 


White I louse 


Economic 


DNR Circuits 


Defense Intelligence Agency 


Military 


Mobile Wireless 


National Counterterrorism Center 


Political/Intention of Nations 




2 ikI Party-GBR, N'ZI, CAN, AUS 




Partnerships 

(Where) 


Legal Authorities 
(Approvals) 


Office of Director of National Intelligence 


Joint Chiefs of Staff 


Department of Homeland Security 


NS A - SSO, TAO, NIOC, CES, A&P... 


NSA FISA 


Office of Secretary of Defense 


CIA 


CT FBI FISA 


North Atlantic Treat)’ Organization 


FBI - Headquarters, NT, and DC 


MSA Amendment Act (FAA) 


FBI - Engineering Research Facility 


Cl FBI FISA 


Military’ Commands (Army, EUCOM) 


DOJ 


BR FISA 




Commercial Proriders 


PR/TT FISA 
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LITHIUM 

ARTIFICE 

ROCKSALT 

SERENADE 

ISP1 

ISP2 

Multiple wireless providers 
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BLARNEY Access 



70+ additional accesses across the U.S. from 
30+ providers for Domestic Long Distance, 
ISP, and Data Center collections. 
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FAIRVIEW At a Glance 



• Transit/FISA/FAA 

• DNI/DNR (content & metadata) 

• Domestic infrastructure only 

• Cable Stations/Switches/Routers (IP 
Backbone) 

• Close partnership vv/FBI 



OO^OA 






SCIFd Centralized 
Proces sing F aci li ty 



□ Peering Link Router Complex 
■ VoIP Router Complex 

□ Planned VoIP Router Complex 

♦ Hub VoIP Router Complex 

<0 Planned Hub VoIP Router Complex 
O Program Cable Station 
O Planned Program Cable Station 
O Non-program Cable Station 
A Rimrock 4ESS Circuit Switch 

★ Program Processing Site 
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Corporate Funding Profile 






FY10 


FY11 


PFR: 


S187.2M 


$205. 1M 


Cyber: 


S250.9M 


$122. 7M 


FISA: 


$ 41.4M 


$ 45.9M 


* Other: 


$ 0M 


$ 10. 0M 


TOTAL: 


$479. 5M 


$383. 7M 



* NCSC Cyber Zone 4 (OCONUS router expansion) 
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Program Funding. Break-out 





FY10 


FY11 


BLARNEY: 


$ 89.7M 


$ 88.0M 


FAIRVIEW: 


$232. 2M 


$188. 9M 


STORMBREW: 


$118. 0M 


$ 66.8M 


OAKSTAR: 


$ 39.6M 


$ 40. 0M 


TOTAL: 


$479. 5M 


$383. 7M 
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Corporate Strategic Initiatives 

• FISA Amendment Act (FAA) 

• Comprehensive National Cyber Security Initiative (CNCI) 

• Expand CONUS/OCONUS Access 

• New access sites 

• Infrastructure build-out at existing access locations 

• NCC TURMOIL Deployments 

• Explore & Exploit New LOB/Capabilities 

• VPNs 

• Mobility networks 

• F-F Algorithm Development (beyond Port-25) 

• Social networking 

• Explore & Exploit New Partnering Relationships 

• 2 New ISPs 

• Maktoob via data centers 
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Comprehensive National 
Cyber Security (CNCI) 
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Corporate CNCI Funding Profile 






FY10 


FY11 


BLARNEY: 


$ 9.0M 


$12. 1M 


FAIRVIEW: 


$144.0M 


$73. 1M 


STORMBREW: 


$ 80.8M 


$22. 9M 


OAKSTAR: 


$ 17.1M 


$14. 6M 


TOTAL: 


$250. 9M 


$122.7M 
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FY10/FY11 CNCI Expansion 

New Access Sites 

FY10 - 5 new access locations (4 cable, 2 router) 
FY11 - 5 new access locations (1 cable, 4 router) 



Infrastructure Build-outs/Existing Access Expansion 
FY10 anticipated - ingest 530 Gbps of data 
FY11 anticipated - ingest 760 Gbps of data 



TURMOIL Processing Suites (Tech Insertion) 



FY10 = 0 
FY11 =44 



TOTAL = 44* 



- Sliding schedule 



'Original request 55 
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CNCI Challenges 




Legal Framework 

• SIGINT 

• Transit (limited value - attacks aimed at the U.S.) 

• FAA (maximum value - Cyber cert; initial value - 
tie signatures to existing Certs) 

• Defense (.mil, .gov, .dib) 

UTT tasking/targeting tool (ability to task signatures) 

Data repositories 

Analytical support 

TURMOIL defense s/w applications 
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Corporate FAA Reporting 

Metrics 
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Corporate FA A Reporting Metrics 



FAA REPORTS- 
Weekly Stats thru 3 July 10 




350 



300 



250 



200 



150 



100 



50 
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Corporate FA A Reporting Metrics 

FAA Reports by Provider 






m ARTIFICE 

■ LITHIUM 

■ MICROSOFT 

■ YAHOO 

■ GOOGLE 

■ FACEBOOK 

■ PALTALK 

■ SERENADE 
STEELKNIGHT 

■ X 



5-Jun-10 




O 



100 



200 



300 



400 



500 



600 
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Corporate Transit Reporting 
Metrics & Highlights 
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Top Ten SIGADs for 2009 
July. 2009 - June 2010 




14000 



12000 



10000 




US-984X US-990 USJ-751 US-3237 US-984 USJ-799 DS-800 UKC-125 US-983 USJ-759A 



SIGADs 
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SSO FAIRVIEW 
Overview 
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AGENDA 

• (U) FAIRVIEW DEFINED 

• (U) OPERATIONAL AUTHORITIES/CAPABILITIES 

• (U) STATS: WHO IS USING DATA WE COLLECTED 

• (U) FAIRVIEW WAY AHEAD AND WHAT IT MEANS 
FOR YOU 

• (U) QUESTIONS 
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International Cables 

(TS//SI//NF) 




(TS//SI//NF) 
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WHERE SSO IS ACCESSING YOUR TARGET 



(TS//SI//NF) 






SSO 


HP 


UNILATERAL 




PROGRAMS 











CORP 

PARTNER 







SSO 




BLARNEY 
AND PRISM 




RAM-A 

RAM-I/X 

RAM-T 

RAM-M 

DGO 

WINDSTOP 

MYSTIC 




PINWALE XKEYSCORE TURMOIL 



FAIRVIEW 

STORMBREW 

OAKSTAR 



(TS//SI//NF) 
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FAIRVIEW DEFINED 



• (TS//SI//NF) Large SSO Program involves NSA and 
Corporate Partner (T ransit, FAA and FISA) 

• (TS//SI//REL FVEY) Cooperative effort associated with mid- 
point collection (cable, switch, router) 

• (TS//SI//NF) The partner operates in the U.S., but has 
access to information that transits the nation and through its 
corporate relationships provide unique accesses to other 
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Unique Aspects 



(C) Access to massive amounts of data 
(C) Controlled by variety of legal authorities 
(C) Most accesses are controlled by partner 
(C) Tasking delays 
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T ransit Authority 



(TS//SI//NF) 




(TS//SI//NF) 
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Transit Authority 



• (S//SI//REL FVEY) Communications must be confirmed foreign-to- 
foreign. 

• (S//SI //REL FVEY) Filters at front-ends to ensure only authorized traffic 
is forwarded to the DNR and DNI selection engines. 

• (S//SI //REL FVEY) Occasionally the TOPI discovers that one end of the 
intercept is actually in the US. We refer to this as a “domestic incident”. 

• (C) TOPI’s mu st inform SSO Corp Team when this occurs via email alias 
■^^HSSO files a formal report to NSA/SV for each occurrence of 
a domestic incident. 
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US-990 FAIRVIEW-TRANSIT 



(TS//SI//NF) US-990 (PDDG-UY) - key corporate partner 
with access to international cables, routers, and 
switches. 



(TS//SI//NF) Key Targets: Global 

(C) DNR: Directory ONMR 

(C) DNI: Port 25 only under Transit Authority 
All port traffic under FAA Authority 
Cyber access 
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US-984X* - FAA 



(TS//SI//NF) US-984XR (PDDG: YC-DNI) and US-984X2 
(PDDG: 29-DNR) -collecting under FAA authority. Must 
be justified under FAA Certification and selector must be 
foreign. 



(C) DNI and DNR collection 
(U//FOUO) “go FAA” for more information. 
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US-984T - FISA 



(TS//SI//NF) US-984T- Must be justified under FISA 
warrant. 



(C) DNI collection 

(U//FOUO) “go FISA” for more information. 
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Dataflow Diagrams 

April 2012 



Note: Please refer to previous diagrams for decommissioned systems. 


Derived From: NSA/CSSM 1-52 
Dated: 20070108 
Declassify On: 20361101 







Corporate Access-Partner 

Processing - NSAW Site Processing Processing 





SIGAD: US-990 
PDDG: UY 

CASE Root: SSO CASNs 

Routing Designator: LDF , TYB 

Data Classification: TS//SI//NF 
(LDF) and TS//SI (TYB) 

Data Type: DNIText, 

COURIERSKILL 

status messages & updates 

Authority: Transit 

I I Partner Controlled 

| | NSA Controlled 



Storage 



FAIRVIEW LAN(HIGHDECIBEL) 



OOF11 

-OOF15 



FAIRVIEW 

NBP 

MAILORDER 



SITEC 



FAIRVIEW ' + 
SiteC 

MAILORDER 



LDF 



TYB 



OOF## 



CORPORATE 

MAILORDER 



OOF## 




Corporate NSAW 


UYTYB 


CADENCE 


UYLDF 







FISHWAY 


UYLDF t 


SCISSORS 


(Data Batching 




(Data Scanning, 


& Distribution 




Formatting, 


System) 




& Distribution 






System) 



UYLDF 



X KEY SCORE 
For tipping 



PINWALE 
YANKEE 
NF partition 














Corporate Access-Partner 

Processing - NSAW Site Processing Processing 




Transit DNI Metadata (IMDRs) 



PINECONESCIF 



Site Sending 
MAILORDER 



FAIRVIEW LAN(Site C) 



FAIRVIEW 

MAILORDER 




IP Router 




IP Processors 


(IPRs) 




(IPPs) 



DNI Information Media 
Manager Distribution 
Box 



Corporate NSAW 



CORPORATE 

MAILORDER 



UYKLG* 



FALLOUT 



SIGAD: US-990 
PDDG: UY 

CASE Root: SSO CASNs 
Routing Designator: KLG 
Data Classification: TS//SI//NF 
Data Type: ASDF 
Authority: Transit 



I I Partner Controlled 

| | NSA Controlled 



MAINWAY 



MARINA 













Corporate Access-Partner 

Processing - NSAW Site Processing Processing 




Transit DNR Metadata & SMS 




SIGAD: US-990 
PDDG: UY 

CASE Root: SSO CASNs 

Routing Designator: 

CERFC(CDRs) 

CERFG (GTRs & SMS) 

CERUA (VoIP) 

Data Classification: TS//SI//NF 

Data Type: Call Metadata in 
CERF format & targeted SMS 

Authority: Transit 

I I Partner Controlled 

| | NSA Controlled 












Corporate Site Processing Access-Partner 

Processing - NSAW Processing 



FAIRVIEW NSA FISA Email 



















Corporate Site Processing Access-Partner 

Processing - NSAW Processing 



FAIRVIEW NSAFISA IP 
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Cyber Threats and 
Special Source Operations 

A Current Perspective for NTOC 



March 22, 2013 



Classified By: 

Derived From: NSA/CSS^t- 52 
Dated: 20070108 
Declassify On: 20380301 
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TOP SECRE T//SI//N OFORN 

STORMBREW’s BRECKENRIDGE Site was 
100% Subsidized with CNCi Funding 




TOP SECRE T//SI//NOFORN 



TOP SE CRE T//COMINT//NOFORN 




Why SSO? 



■ SSO is “Big Data” 

■ -60% of content 

■ -75% of metadata 

■ We’re different 

■ Nuances of individual programs 

■ Tremendous potential 

■ Need NTOC to guide SSO 
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SSO Access Portfolios 



Foreign 



Relationships with 
2 nd & 3 rd Parties 



Corporate 

Partnerships with 
Telecom Providers 



U nilateral 

Accesses Enabled 
By US Partners 
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SSO Access Portfolios 



Corporate 

BLARNEY 

FAIRVIEW 

STORMBREW 

PRISM 

OAKSTAR 



Foreign 

RAMPART-A 

WINDSTOP 




MYSTIC 

RAMPART-I/X 
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Partner Constraints 



■ Foreign 

■ All Targeting/Signatures exposed to 2P/3P partner for 
approval 

■ Partner approves new capabilities 

■ Corporate 

■ FISA, FAA, TRANSIT authorities 

■ Requires FISC/Do J permission for capabilities 

■ Partner approvals for capabilities (in some cases) 

■ Unilateral 

■ Power/Space/Cooling at site 

■ Bandwidth for data forwarding 

■ Risk of site compromise 
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Authorities 
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Authorities 



TRANSIT 



FAA-702 

STORM BREW 
FAIRVIEW 
PRISM 
BLARNEY 



STORM BREW 
FAIRVIEW 

E012333 

RAM-A 

RAM-I/X WINDSTOP 
RAM-M OAKSTAR 
RAM-T MYSTIC 




FISA 

BLARNEY 
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UNCLASSIFIED//FOR OFFICIAL USE ONLY 




14 MARCH 2013 

Special 1 
Source 
Operations 

Weekly 
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UNCLASSIFIED//FOR OFFICIAL USE ONLY 



(U) CORPORATE TEAM 

(U//FOUO) BRIEFER: 
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(U) Operational Highlight 

(TS//SI//NF) STORMBREW -TRANSIT DNI 

Metadata Collection 

• (TS//NF) Activated on 11 March at BRECKENRIDGE 

* (U//FOUO) Metadata collection is SMTP only at this time 

• (TS//NF) Foreignness is confirmed with IPP from FAIRVIEW 

* (C//REL to USA, FVEY) Data is flowing into MARINA 

happen soon 
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* (U//FOUO) Content collection should 

UPDATE: As of 1826Z on 13 March 2013, 
STORMBREW began content collection 
of SMTP under Transit Authority!! 





LITHIUM (TS//SI//NF) BLARNEY'S covername for one of their corporate 
partners. Need WPG ECI for company name 



NODDY-3 (TS//SI//NF ) FAIRVIEW'S covername for Coverage of Current 
and Forecasted NRTM Circuits. The FAIRVIEW program is acquiring DNI 
access (SAGUARO) from the Partner's DNI backbone which includes 
OC-192 and 10GE peering circuits. The Partner has provided a 
current view of the forecasted and equipped 10GE and OC-192 peering 
circuits at the eight SNRCs as of March 2009. Based on the 
information presented, by the end of 2009, the total number of 
forecasted 10GE peering circuits at the SNRCs will be approximately 
six times greater than OC-192 peering circuits. However, the growth 
in 10GE circuits in 2009 is about 19 times greater than the 
forecasted growth for OC-192 circuits. As these additional links 
become active it is imperitive that FAIRVIEW have the ability and 
the agility to follow SIGINT targets of interest. This action will 
provide 100% coverage of the 2009 forecasted 10GE and OC-192 links. 
This broad coverage approach is a key part of a larger effort to 
recast the FAIRVIEW DNI router access to be more agile and more 
high-value intelligence focused as part of the program's effort to 
provide broad access, continuous survey and focused collection. 



SAGURA (TS//SI//NF ) DNI access from FAIRVIEW'S Partner's DNI 
backbone which includes OC-192 and 10GE peering circuits. The 
Partner has provided a current view of the forecasted and equipped 
10GE and OC-192 peering circuits at the eight SNRCs as of March 
2009. Based on the information presented, by the end of 2009, the 
total number of forecasted 10GE peering circuits at the SNRCs will 
be approximately six times greater than OC-192 peering circuits. 
However, the growth in 10GE circuits in 2009 is about 19 times 
greater than the forecasted growth for OC-192 circuits. As these 
additional links become active it is imperitive that FAIRVIEW have 
the ability and the agility to follow SIGINT targets of interest. 
This action will provide 100% coverage of the 2009 forecasted 10GE 
and OC-192 links. This broad coverage approach is a key part of a 
larger effort to recast the FAIRVIEW DNI router access to be more 
agile and more high-value intelligence focused as part of the 
program's effort to provide broad access, continuous survey and 
focused collection. 



SLIVER (TS//SI//NF ) SLIVER is a proof-of-concept (POC) is an 
effort to enable cross-mission (CNO) collaborative capabilities in a 
global setting. Under the SLIVER initiative, passive IP sensor 
nodes will be deployed at two CONUS sites and two OCONUS sites. 

These nodes will be fed by a small amount of traffic volume. The 
CONUS nodes will support both Lithium commercial network security 
functions, as well as SIGINT and SIGINT-enabled CND applications 




(i.e., end-point characterization data and IP flow data). Within 
the SLIVER timeframe, due to OPSEC constraints, the OCONUS nodes 
will only be configured to support Lithium commercial network 
security functions — any Lithium-derived metadata from the OCONUS 
nodes will be sent to FAIRVIEW's centralized processing facility 
(PINECONE), under applicable SIGINT authority, for analysis and 
exploitation. In addition to these passive sensor nodes, active 
commercial security nodes will also be deployed at both the CONUS 
and OCONUS sites and used commercially in order to provide essential 
mission cover. 



SORA-2 

(TS//SI//NF) IP Access Expansion effort for FAIRVIEW. One of the 
areas of FAIRVIEW's DNI backbone access (Saguaro) that has not yet 
been sufficiently exploited is the access side of the Common 
Backbone (CBB) network. The major reason for this is the sheer 
number of access links - tens of thousands - which would make 100% 
coverage prohibitively expensive. One way to overcome this 
constraint is to monitor uplinks out of the access routers toward 
CBB backbone or aggregation routers. Even so, the number of uplinks 
is still numerous, requiring an additional selection/prioritization 
strategy. Lithium, in concert with ODD, developed a strategy that 
rank orders access routers using several different metrics, such as 
the following: PRI Value, Country Value, PAA Value, CD Value and 

CCCD Value. The top eight router uplinks, as outlined in the 
attached proposal, have been analyzed and deemed of high SIGINT 
interest. Therefore, we are requesting approval to deploy 
monitoring on these uplinks. 
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(S//SI) FA 1RV1EW and STORMBREW: Live' - On the Net 

FROM:^^^^^^^J and 

Special Soure^Jpenitions ( 

Run Date: 1 1/19/2003 

(TS//SI) Two special source collection programs - S332's FAIRVIEW and 
STORMBREW - are producing SIGINT successes by "living on the global intelligent 
network." In September of this year, FAIRVIEW quietly turned on a new DNI (Digital 
Network Intelligence) collection capability that quickly proved a valuable source of 
intelligence: A&P's Office of Proliferation and Arms Control (S2G21 ) issued the first 
SIGINT product report sourced from this new access on September 24. Then, less than a 
month later, the first E-series product report (extremely sensitive serialized reports sent 
to a limited audience) was issued by International Security Issues, (S2C21). Many other 
offices now use this collection, as well - the FAIRVIEW DNI access is extremely high- 
volume and delivers a very broad target set covering all SIGINT product lines. For 
example, the initial deployment of the FAIRVIEW DNI access, for e-mail only, is now 
forwarding more than one million emails a day to the keyword selection system at 
NSAW. 




(TS//SI) STORMBREW has a complementary large-scale DNI collection effort 
(covername PERFECTSTORM) that is just about ready for prime time. As the large- 
scale effort was being developed, STORMBREW deployed several QRC (Quick 
Reaction Capability) collection systems that have yielded critical intelligence supporting 
the Globed War on Terrorism. STORMBREW engineers then worked with FAIRVIEW 
engineers to transfer this collection architecture to FAIRVIEW. Recently, FAIRVIEW 
identified the "other side" of one of the STORMBREW QRC links, and was able to use 
the same collection architecture to rapidly put this new link on cover. This type of 
complementary access provides the A&P analysts with more complete coverage of their 
target. In addition, STORMBREW and FAIRVIEW personnel worked side-by-side with 
CES personnel to add Voice over IP processing capabilities to both of these accesses to 
further exploit the targets' communications. 

(TS//SI) In addition to email, FAIRVIEW and STORMBREW are also collecting 
metadata, or data about the network and the communications it carries. For September 
2003 alone, FAIRVIEW captured several trillion metadata records - of which more than 
400 billion were selected for downstream processing or storage. This metadata will be 
used to enable the surgical collection of much smaller amounts of target-rich data - 
which should extend beyond FAIRVIEW and STORMBREW to many other DNI 
accesses across NSA. This metadata is flowing to MAINWAY (contact chaining 




database) today, and a major interface to the Knowledge System Prototype (KSP) is only 
days away from its operational debut. Both the STORMBREW and FAIRVIEW teams 
are working closely with the Network Analysis Center, the Collection Strategies and 
Requirements Center, and analysts throughout A&P to foster metadata exploitation, 
focus the access, improve the selectors and filters, and hunt for targets within the access. 
This collaborative process is the foundation for SIGINT success on the Net. 

(TS//SI) FAIRVIEW and STORMBREW also provide other major international 
accesses that support all A&P SIGINT product lines. In a recent complementary 
modernization effort, the FAIRVIEW and STORMBREW programs quadrupled 
SIGINT production from these circuit-switched accesses, only a few months after 
implementation. As the FAIRVIEW and STORMBREW programs continue to expand 
their "live" presence on the global net, we are expecting even greater insight into the net 
itself, and the communications of our targets, resulting in similar SIGINT production 
gains from these packet-switched accesses. 



Comments/Suggestions about this article? 
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(T S//SI ) BREC KENRIDGE for STORMBREW Collection 
By on 2009-10-28 1035 



7 October 2009 

(TS//SI//NF) STORMBREW has completed SCIF construction and also 
received security certification for BRECKENRIDGE, its latest 
collection site on 11 September 2009. The 10,000 square foot 
facility is equipped with the necessary power, communications and 
equipment racks to support the planned near-term deployment of 15 
TURMOIL sy^em^j3R)\m^Tc^50G of processing against the newly 
acquired The results of a recent signal 

survey, conducted by SSO, indicates a potentially rich target 
environment of both DNI and DNR. Initial collection system 
dep^jymer^^are scheduled for 2nd quarter 2010. The BRECKENRIDGE/ 

commenced in February 2007 and is the first 
"cable-head" collection effort conducted under STORMBREW. 

( U//F0U0) POC: Deputy PD STORMBREW, 








(TS//SI//NF ) FAIRVIEW : CLIFFSIDE Site - Collection Resumes After ~5 
Mo nths 

By on 2011-08-23 0805 



(TS//SI//NF ) On 5 Aug 2011, collection of DNR and DNI traffic at the 
FAIRVIEW CLIFFSIDE trans-pacific cable site resumed, after being 
down for approximately five months. Collection operations at 
CLIFFSIDE had been down since 11 March 2011, due to the cable damage 
as a result of the earthquake off of the coast of Japan. The initial 
damage assessment showed the loss of collection of 275 El DNR 
circuits and 55 DNI circuits. Since the cable was repaired and 
returned to service (5 Aug), FAIRVIEW operations has tasked 205 El 
DNR circuits and 37 DNI circuits for collection. Enviornmental 
survey continues to compare the old enviornment footprint to the new 
environment footprint and FAIRVIEW operations will continue to task 
collection for all new and restored circuits. 



POC: S35333 , (FAIRVIEW Collection Manager) 






(TS//SI//NF) Mobility Business Records Flow Significantly Increases 
Vo lume of Reco rds Delivered Under BR FISA 
By ^^^^^Hon 2011-08-30 1440 



(TS//SI//NF ) On 29 August, FAIRVIEW started delivering Mobility 
Business Records traffic into MAINWAY under the existing Business 
Record (BR) FISA authorization. The intent of the Business Records 
FISA program is to detect previously unknown terrorist threats in 
the United States through the cell chaining of metadata. This new 
metadata flow is associated with a cell phone provider and will 
generate an estimated 1.1 billion cellular records a day in addition 
to the 700M records delivered currently under the BR FISA. After 
extensive dialogue with the consumers of the BR data, repeated 
testing, a push to get this flow operational prior to the tenth 
anniversary of 9/11, and extensive coordination with external 
entitites via our OGC (to include: FBI, DOJ , ODNI, and FISC) NSA 
received approval to initiate this dataflow on August 29, 2011. 
Analysts have already reported seeing BR Cellular records in the 
Counter Terrorism call-chaining database queries. 





(T S//SI//REL FVEY) FAIRVIEW Tour for Director, Research Directorate 
By on 2012-01-13 0814 

(TS//SI//REL FVEY) On 6 January 2012, Director of NSA's 

Research Directorate, was provided a tou^^^TAlRVIEW's East Coast 
cable station (FRIAR) and FAIRVIEW' s central^e^pi^cessing SCIF 
(PINECONE). In addition to the site tours, also 

received a high level program overview, to in^ula^a^cussion of 
the various authorities the program operates under, current and 
future program Cyber plans and some discussion regarding FAIRVIEW's 
Business Record FISA (BR-FISA) collection. The discussion also 
included mention of the program's FY12 Strategic Initiatives, a 
snapshot of the FAIRVIEW's access & collection footprint, clearly 
depicting the breadth of the access. The day was extremely 
successful and broadened his understanding of this unique 
Government/Partner relationship, highlighted the Partner's extreme 
willingness to help with NSA's SIGINT and Cyber missions and the 
breadth and depth of not only the program's access, but also the 
amazing knowledge of the FAIRVIEW partner's workforce. 



POC: FAIRVIEW Tech Director, S3531 





(T S//SI//REL FVEY) FAIRVIEW Tour 
By on 2012-03-28 1333 



( TS//SI//REL FVEY) On 23 March, S3 a nd GAO Technical D irectors: S3 

HHHHHj anc * 

i | ! 1 1 \WT an^b^STGlNT Lom^^nce and Arcr^^^U^e Lead 

attended the FAIRVIEW partner provided tour of one of 
tn^mjg^m's east coast cable stations (NASSAU SHORE) and the 
program's centralized processing SCIF (PINECONE). A short FAIRVIEW 
overview was provided which led into an in-depth technical 
discussion regarding the program's vast access & collection 
infrastructure, the varying data flows (i.e., DNI, DNR, CDRs, etc.) 
to include program authorities, budget constraints, sensor 
deployments (ETML, VANGUARD and NETFLOW), and endpoint-midpoint 
shaping activities and future opportunities in partnership with 
organizations such as TAO, NCSC and other IC elements such as the 
FBI, DEA and the CIA. The partner also provided a briefing on 
company/USG activities outside of FAIRVIEW (i.e., NEST, DIB Pilot) 
and expounded on current and future program Cyber plans. The day was 
extremely successful and broadened their understanding of this 
unique Government/Partner relationship, highlighted the Partner's 
ability and willingness to help with NSA's SIGINT and Cyber 
missions, provided insight into the breadth and depth of the 
program's access and showcased the highly collaborative nature of 
the FAIRVIEW partner and the value of their intellectual capital. 



POC: 



FAIRVIEW Program Director, 








(T S//SI//NF) United Nations DNI Collection Enabled 
By on 2012-04-18 0853 



(TS//SI//NF) FAIRVIEW and BLARNEY engineers collaborated to enable 
the delivery of 700Mbps of paired packet switched traffic (DNI) 
traffic from access to an 0C192 ring serving the United Nations 
mission in New York. The traffic in these links had been encoded 
using a specific multiplexing technique (GFP). FAIRVIEW engineers 
and the partner worked to provide the correct mapping, and BLARNEY 
worked with the partner to correct data quality issues so the data 
could be handed off to BLARNEY engineers to enable processing of the 
DNI traffic. 

(TS//SI//NF) As of 4 April, BLARNEY began intermittent enablement of 
DNI traffic for TOPI assessment and feedback. This feedback is being 
used by the BLARNEY target development team to support an ongoing 
filtering and throttling of data volumes. While BLARNEY is 
authorized full-take access under the NSA FISA, collected data 
volumes would flood PINWALE allocations within hours without a 
robust filtering mechanism. The initial TOPI feedback has been 
positive, indicating unique collection to include collection against 
the email addr ess of the UN General leading the monitoring mission 
in BLARNEY engineers and analysts assessment indicate 

high quality in both VoIP and VTC collection. 

( U//F0U0) P0Cs^^HBH| FAIRVIEW Engineer, BLARNEY 

Engineer, ^^^^^^f^BnRNEY Target Developer,^^^^^^|| 





